Docker Community Forums

CoreOS unable to pull from

(Thefuzz4) #1

Issue Type: Network Connectivity

OS: NAME="Container Linux by CoreOS"
PRETTY_NAME="Container Linux by CoreOS 1465.8.0 (Ladybug)"
HOME_URL="coreos URL
BUG_REPORT_URL="bug report URL

App Version: N/A

Steps to reproduce:
Install CoreOS from VMware Template file
Create cloud-config.yml file
Pull any image from docker.io

So I just built out my first CoreOS VM here at home for something to learn and mess with. I can curl any URL I want all day long except for docker.io. I can curl it from any other machine I want, just not this CoreOS box.

When attempting to access docker.io with a pull command for an image I get:

Oct 03 16:11:09 deadpool02 env[873]: time="2017-10-03T16:11:09.908262406Z" level=warning msg="Error getting v2 registry: Get net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Oct 03 16:11:09 deadpool02 env[873]: time="2017-10-03T16:11:09.908422727Z" level=error msg="Attempting next endpoint for pull after error: Get net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
Oct 03 16:11:39 deadpool02 env[873]: time="2017-10-03T16:11:39.909736886Z" level=error msg="Not continuing with pull after error: Network timed out while trying to connect to You may want to check your internet connection or if you are behind a proxy."

I am not behind a proxy on this VLAN and I have a CentOS machine running with docker on this same VLAN that can pull images just fine.

I can curl z without an issue but it just times out with docker.io.

Here is the iptables for the box:

deadpool02 jhamilto # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW multiport dports ssh
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Nothing really exciting in there.

Here is my cloud-config.yml file:

#cloud-config

hostname: deadpool02

write_files:
    - path: /etc/systemd/network/
      permissions: 0644
      content: |

    - path: /etc/iptables.rules
      permissions: 0644
      content: |
        *filter
        :INPUT DROP [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [76:7696]
        -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 22 -j ACCEPT
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -i lo -j ACCEPT
        -A INPUT -p icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
        COMMIT

users:
  - name: "core"
    passwd: "PASSWORD"
    groups:
     - sudo
     - docker

coreos:
    units:
        - name: systemd-networkd.service
          command: start
        - name: iptables.service
          command: start
          content: |
            [Service]
            ExecStart=/usr/sbin/iptables-restore /etc/iptables.rules
            ExecReload=/usr/sbin/iptables-restore /etc/iptables.rules
            ExecStop=/usr/sbin/iptables-restore /etc/iptables.rules


This whole thing just has me completely baffled. I've checked my firewall logs and it shows that the connections are going through just fine. I'm using my firewall's DNS so it's all internal.

Thank you all for your help and I apologize if this is posted in the wrong section.

(Thefuzz4) #2

This was user error on my part. My pfBlockerNG was blocking access to AWS.
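
The cause given in post #2, an upstream blocklist covering the addresses the registry resolves to, can be confirmed by comparing each endpoint's resolved addresses against the blocklist's CIDR ranges. The following is an added example and not part of the original posts: the function names are hypothetical, the blocklist entries and addresses are constructed from documentation ranges, and the two Docker Hub hostnames are assumed endpoints that do not appear in the thread.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real Docker Hub or AWS addresses).
# In practice: CIDRs from the firewall's blocklist export, addresses from DNS on the host.
BLOCKLIST_CIDRS = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:1::/48"]
RESOLVED = {
    "registry-1.docker.io": ["198.51.100.17", "198.51.100.203"],
    "auth.docker.io": ["203.0.113.40", "203.0.113.200"],
    "example.org": ["192.0.2.10", "2001:db8:2::1"],
}


def parse_blocklist(cidrs):
    """Parse CIDR strings into network objects, skipping blanks and comments."""
    nets = []
    for line in cidrs:
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def blocked_addresses(addresses, nets):
    """Return {address: matching network} for every address inside a blocked range."""
    hits = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        for net in nets:
            if ip.version == net.version and ip in net:
                hits[addr] = str(net)
                break
    return hits


def classify(resolved, cidrs):
    """Label each hostname 'blocked', 'partial' (some addresses hit) or 'clear'."""
    nets = parse_blocklist(cidrs)
    report = {}
    for host, addrs in resolved.items():
        hits = blocked_addresses(addrs, nets)
        status = "clear" if not hits else "blocked" if len(hits) == len(addrs) else "partial"
        report[host] = (status, hits)
    return report


if __name__ == "__main__":
    for host, (status, hits) in classify(RESOLVED, BLOCKLIST_CIDRS).items():
        print(f"{host:24} {status:8} {hits}")
```

A "partial" result matters with round-robin DNS: pulls then fail intermittently, depending on which address the client picks, while other sites keep working.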